When you install Anthos Service Mesh, depending on your environment, you either
specify a configuration profile, or you specify an overlay file that sets
the profile for you. The configuration profiles are YAML files that use the
API. The profiles define and configure the features that are installed with
Anthos Service Mesh. The Anthos Service Mesh profiles are overlays of either the
profile (which means no settings) or the
The following profiles are provided with Anthos Service Mesh:
asm-gcp: Use this profile if all of your GKE clusters are in the same project. When you install Anthos Service Mesh with this profile, the following features are enabled:
asm-gcp-multiproject: Use this profile if your GKE cluster is in a Shared Virtual Private Cloud, and you want to add clusters from different projects to Anthos Service Mesh. When you install Anthos Service Mesh using the
The Anthos Service Mesh dashboards in the Cloud Console currently aren't available. However, you can still view logs in Cloud Logging and metrics in Cloud Monitoring for each project.
The Supported default features listed on the Supported features page for the
asm-gcp-multiprojectconfiguration profile are enabled.
asm-multicloud: Use this profile for clusters on other supported environments: Anthos clusters on VMware, Anthos clusters on AWS, Amazon Elastic Kubernetes Service (Amazon EKS), and Microsoft Azure Kubernetes Service (Microsoft AKS). When you install Anthos Service Mesh using the
asm-multicloud.yamlprofile, this enables Supported default features listed on the Supported features page for the
The profiles are located in the
manifests/profiles subdirectory within the
Anthos Service Mesh installation's root directory.
An overlay file is a YAML file containing an
IstioOperator custom resource
(CR) that you use to configure the control plane. You can override the default
configuration and enable supported optional features in an overlay file.
You can layer on more overlays, and each overlay file overrides the
configuration on the previous layers.
When you install or upgrade Anthos Service Mesh using the
istioctl install command,
you can specify one or more overlay files on the command line with the
-f command-line option.
|Don't include multiple CRs in one YAML file||Create separate YAML files for each CR|
Although you can modify the configuration by specifying configuration parameters
on the command-line by using the
--set option to
istioctl install, we
recommend that you use an overlay file so you can store the file in your
version-control system along with your other resource definition files. You need
to keep these files for when you upgrade Anthos Service Mesh so that your service mesh
has the same configuration after the upgrade.
The overlay files on this page are in the
package in GitHub. These files contain common customizations to the profiles.
You can use these files as they are, or you can make additional changes to them
as needed. You can also create your own overlay files, as described in
Customizing the configuration.
When you install Anthos Service Mesh using the Google-supplied
install_asm script, you can
specify one or more overlay files with the
--custom_overlay options. If you don't need to make any changes
to the files, you can use
--option, and the script fetches the file from
GitHub for you. Otherwise, you can make changes to the overlay file, and then
--custom_overlay option to pass it to the
install_asm script. For
examples of using both options, see
To download the
The following steps use
kpt to download the
asm package from the
GitHub repository. If you prefer, you can use
git clone instead.
kptif you haven't already:
gcloud components install kpt
Download the package that contains the files:
kpt pkg get \ https://github.com/GoogleCloudPlatformfirstname.lastname@example.org asm
To enable a feature when you are installing or upgrading Anthos Service Mesh, you
must include both the profile or the overlay file that sets the profile and
the file for the feature you want to enable. The exact command differs
slightly depending on your environment and whether you are using the
install_asm script or the
istioctl install command.
All of the following commands set a revision label on
istiod. A revision label
is in the format
istio.io/rev=asm-176-1. The revision label is used
by the automatic sidecar injector webhook to associate injected sidecars with a
istiod revision. To enable sidecar auto-injection for a namespace,
you label it with a revision matching the revision label on
Enable an egress gateway on GKE on-prem
This example assumes that you have followed the steps in the
Installing Anthos Service Mesh on premises guide
to the point where you install Anthos Service Mesh, and that the
asm package is
in your current working directory. The
egressgateways.yaml file contains the
configuration to enable an egress gateway.
Install Anthos Service Mesh on Anthos clusters on VMware:
istioctl install \ --set profile=asm-multicloud \ -f asm/istio/options/egressgateways.yaml \ --set revision=asm-176-1
Be sure to go back to the Anthos clusters on VMware installation guide to configure the validating webhook, which is required for new installations.
Enable an egress gateway on GKE on Google Cloud
We recommend that you use the
install_asm script to set up standalone
clusters or multiple clusters in the same project. The script uses the
asm-gcp profile, and it sets a revision label on
istiod. This example
assumes that you have followed the
Installing Anthos Service Mesh on GKE
guide to download the version of the
install_asm script on the
release-1.7-asm branch that installs Anthos Service Mesh
To use the
install_asm script to install an egress gateway:
./install_asm \ --project_id PROJECT_ID \ --cluster_name CLUSTER_NAME \ --cluster_location CLUSTER_LOCATION \ --mode install \ --enable_apis \ --option egressgateways
This command runs the script for a new installation, sets the
configures your cluster with the options required by Anthos Service Mesh, enables
Mesh CA (the default certificate authority for new installs),
allows the script to enable the required Google APIs, and fetches the
egressgateways.yaml from GitHub.
Enable an egress gateway on GKE clusters in different projects
install_asm script doesn't support installing Anthos Service Mesh
asm-gcp-multiproject profile, which is the required profile when
you want to configure multiple clusters in different projects for
Anthos Service Mesh.
The following command line assumes that you have followed all the steps in
Multi-project installation and migration
to the point where you install Anthos Service Mesh, and that the
asm package is
in your current working directory.
Install Anthos Service Mesh:
istioctl install \ -f asm/istio/istio-operator.yaml \ -f asm/istio/options/multiproject.yaml \ -f asm/istio/options/multicluster.yaml\ -f asm/istio/options/egressgateways.yaml \ --set revision=asm-176-1
The following files overlay the settings in the
multiproject.yamlfile sets the
asm-gcp-multiprojectprofile. Because this file sets the profile, you need to specify it before the other overlay files.
multicluster.yamlfile configures the settings that Anthos Service Mesh needs for a multi-cluster configuration.
egressgateways.yamlfile configures the egress gateway.
Be sure to go back to the Multi-project installation guide to configure the validating webhook, which is required for new installations.
YAML for optional features
The following sections provide the YAML to enable optional and supported features.
global.mtls.enabled configuration has been removed to avoid issues with
upgrades and to provide a more flexible installation. To enable
peer authentication policy
Direct Envoy to stdout
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: meshConfig: accessLogFile: "/dev/stdout"
For more information, see Enable Envoy's access logging.
For installations on GKE, you can enable Cloud Trace. For detailed pricing information, refer to the Cloud Trace pricing page.
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: meshConfig: enableTracing: true values: global: proxy: tracer: stackdriver
The default sampling rate is 1%, but you can override the default by specifying
tracing.sampling value. The value must be in the range of 0.0 to 100.0 with a
precision of 0.01. For example, to trace 5 requests out of every 10,000, use
The following example shows a sampling rate of 100% (which you would only do for demo or troubleshooting purposes).
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: meshConfig: enableTracing: true defaultConfig: tracing: sampling: 100 values: global: proxy: tracer: stackdriver
Trace context propagation
Although the sidecar proxies can automatically send trace spans, they need some hints to tie together the entire trace. Applications need to propagate the appropriate HTTP headers so that when the proxies send span information, the spans can be correlated correctly into a single trace.
To do this, an application needs to collect and propagate the following headers from the incoming request to any outgoing requests:
For examples propagating the headers, see Trace context propagation.
Create a trace from client with custom ID
To create a trace from a client with a custom ID, use the
curl command to
create a request with an external client and force it show a trace. For example:
curl $URL --header "x-client-trace-id: 105445aa7843bc8bf206b12000100000"
For more information about
x-client-trace-id, refer to the
Egress via egress gateways
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: components: egressGateways: - name: istio-egressgateway enabled: true
For more information, see Egress Gateways.
Istio Container Network Interface
How you enable the Istio Container Network Interface (CNI) depends on the environment that Anthos Service Mesh is installed on. You also need to enable a network policy.
Enable CNI on GKE
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: components: cni: enabled: true namespace: kube-system values: cni: cniBinDir: /home/kubernetes/bin excludeNamespaces: - istio-system - kube-system
Enable CNI on Anthos clusters on VMware
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: components: cni: enabled: true namespace: kube-system values: cni: cniBinDir: /opt/cni/bin excludeNamespaces: - istio-system - kube-system - gke-system
Enable an internal load balancer
For installations on GKE, you can enable an internal load balancer for the Istio ingress gateway.
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: components: ingressGateways: - name: istio-ingressgateway enabled: true k8s: serviceAnnotations: cloud.google.com/load-balancer-type: "internal" service: ports: - name: status-port port: 15020 - name: http2 port: 80 targetPort: 8080 - name: https port: 443 targetPort: 8443
External certificate management on the ingress gateway
For information on enabling external certificate management on the ingress gateway using Envoy SDS, see Secure Gateways.